Adding ENABLE_HARDENING

Enables "safes" assertions even with ENABLE_ASSERTIONS isn't set

17 files changed, 57 insertions, 30 deletions

diff --git a/Makefile.am b/Makefile.am
index f25a9505..9c09decd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -143,11 +143,15 @@ tests_test_opus_decode_LDADD = libopus.la $(NE10_LIBS) $(LIBM)
 tests_test_opus_padding_SOURCES = tests/test_opus_padding.c tests/test_opus_common.h
 tests_test_opus_padding_LDADD = libopus.la $(NE10_LIBS) $(LIBM)
 
-tests_test_opus_projection_SOURCES = tests/test_opus_projection.c tests/test_opus_common.h
-tests_test_opus_projection_LDADD = libopus.la $(NE10_LIBS) $(LIBM)
-
 CELT_OBJ = $(CELT_SOURCES:.c=.lo)
 SILK_OBJ = $(SILK_SOURCES:.c=.lo)
+OPUS_OBJ = $(OPUS_SOURCES:.c=.lo)
+
+tests_test_opus_projection_SOURCES = tests/test_opus_projection.c tests/test_opus_common.h
+tests_test_opus_projection_LDADD = $(OPUS_OBJ) $(SILK_OBJ) $(CELT_OBJ) $(NE10_LIBS) $(LIBM)
+if OPUS_ARM_EXTERNAL_ASM
+tests_test_opus_projection_LDADD += libarmasm.la
+endif
 
 silk_tests_test_unit_LPC_inv_pred_gain_SOURCES = silk/tests/test_unit_LPC_inv_pred_gain.c
 silk_tests_test_unit_LPC_inv_pred_gain_LDADD = $(SILK_OBJ) $(CELT_OBJ) $(NE10_LIBS) $(LIBM)
diff --git a/celt/arch.h b/celt/arch.h
index d1e6457c..ffca8cf3 100644
--- a/celt/arch.h
+++ b/celt/arch.h
@@ -56,25 +56,40 @@
 
 #define CELT_SIG_SCALE 32768.f
 
-#define celt_fatal(str) _celt_fatal(str, __FILE__, __LINE__);
-#ifdef ENABLE_ASSERTIONS
+#define CELT_FATAL(str) celt_fatal(str, __FILE__, __LINE__);
+
+#if defined(ENABLE_ASSERTIONS) || defined(ENABLE_HARDENING)
+#ifdef __GNUC__
+__attribute__((noreturn))
+#endif
+void celt_fatal(const char *str, const char *file, int line);
+
+#if defined(CELT_C) && !defined(OVERRIDE_celt_fatal)
 #include <stdio.h>
 #include <stdlib.h>
 #ifdef __GNUC__
 __attribute__((noreturn))
 #endif
-static OPUS_INLINE void _celt_fatal(const char *str, const char *file, int line)
+void celt_fatal(const char *str, const char *file, int line)
 {
    fprintf (stderr, "Fatal (internal) error in %s, line %d: %s\n", file, line, str);
    abort();
 }
-#define celt_assert(cond) {if (!(cond)) {celt_fatal("assertion failed: " #cond);}}
-#define celt_assert2(cond, message) {if (!(cond)) {celt_fatal("assertion failed: " #cond "\n" message);}}
+#endif
+
+#define celt_assert(cond) {if (!(cond)) {CELT_FATAL("assertion failed: " #cond);}}
+#define celt_assert2(cond, message) {if (!(cond)) {CELT_FATAL("assertion failed: " #cond "\n" message);}}
 #else
 #define celt_assert(cond)
 #define celt_assert2(cond, message)
 #endif
 
+#if defined(ENABLE_ASSERTIONS)
+#define celt_sig_assert(cond) {if (!(cond)) {CELT_FATAL("signal assertion failed: " #cond);}}
+#else
+#define celt_sig_assert(cond)
+#endif
+
 #define IMUL32(a,b) ((a)*(b))
 
 #define MIN16(a,b) ((a) < (b) ? (a) : (b))   /**< Minimum 16-bit value.   */
diff --git a/celt/arm/celt_neon_intr.c b/celt/arm/celt_neon_intr.c
index cf443988..effda769 100644
--- a/celt/arm/celt_neon_intr.c
+++ b/celt/arm/celt_neon_intr.c
@@ -196,7 +196,7 @@ void celt_pitch_xcorr_float_neon(const opus_val16 *_x, const opus_val16 *_y,
    int i;
    (void)arch;
    celt_assert(max_pitch > 0);
-   celt_assert((((unsigned char *)_x-(unsigned char *)NULL)&3)==0);
+   celt_sig_assert((((unsigned char *)_x-(unsigned char *)NULL)&3)==0);
 
    for (i = 0; i < (max_pitch-3); i += 4) {
       xcorr_kernel_neon_float((const float32_t *)_x, (const float32_t *)_y+i,
diff --git a/celt/bands.c b/celt/bands.c
index 19a5f1af..52228f7d 100644
--- a/celt/bands.c
+++ b/celt/bands.c
@@ -70,10 +70,10 @@ opus_int16 bitexact_cos(opus_int16 x)
    opus_int32 tmp;
    opus_int16 x2;
    tmp = (4096+((opus_int32)(x)*(x)))>>13;
-   celt_assert(tmp<=32767);
+   celt_sig_assert(tmp<=32767);
    x2 = tmp;
    x2 = (32767-x2) + FRAC_MUL16(x2, (-7651 + FRAC_MUL16(x2, (8277 + FRAC_MUL16(-626, x2)))));
-   celt_assert(x2<=32766);
+   celt_sig_assert(x2<=32766);
    return 1+x2;
 }
 
@@ -282,7 +282,7 @@ void anti_collapse(const CELTMode *m, celt_norm *X_, unsigned char *collapse_mas
 
       N0 = m->eBands[i+1]-m->eBands[i];
       /* depth in 1/8 bits */
-      celt_assert(pulses[i]>=0);
+      celt_sig_assert(pulses[i]>=0);
       depth = celt_udiv(1+pulses[i], (m->eBands[i+1]-m->eBands[i]))>>LM;
 
 #ifdef FIXED_POINT
diff --git a/celt/cwrs.c b/celt/cwrs.c
index 9722f0ac..a552e4f0 100644
--- a/celt/cwrs.c
+++ b/celt/cwrs.c
@@ -482,7 +482,7 @@ static opus_val32 cwrsi(int _n,int _k,opus_uint32 _i,int *_y){
       k0=_k;
       q=row[_n];
       if(q>_i){
-        celt_assert(p>q);
+        celt_sig_assert(p>q);
         _k=_n;
         do p=CELT_PVQ_U_ROW[--_k][_n];
         while(p>_i);
diff --git a/celt/entcode.h b/celt/entcode.h
index 13d6c84e..3763e3f2 100644
--- a/celt/entcode.h
+++ b/celt/entcode.h
@@ -122,7 +122,7 @@ opus_uint32 ec_tell_frac(ec_ctx *_this);
 
 /* Tested exhaustively for all n and for 1<=d<=256 */
 static OPUS_INLINE opus_uint32 celt_udiv(opus_uint32 n, opus_uint32 d) {
-   celt_assert(d>0);
+   celt_sig_assert(d>0);
 #ifdef USE_SMALL_DIV_TABLE
    if (d>256)
       return n/d;
@@ -138,7 +138,7 @@ static OPUS_INLINE opus_uint32 celt_udiv(opus_uint32 n, opus_uint32 d) {
 }
 
 static OPUS_INLINE opus_int32 celt_sudiv(opus_int32 n, opus_int32 d) {
-   celt_assert(d>0);
+   celt_sig_assert(d>0);
 #ifdef USE_SMALL_DIV_TABLE
    if (n<0)
       return -(opus_int32)celt_udiv(-n, d);
diff --git a/celt/mathops.c b/celt/mathops.c
index 21a01f52..78b52cc8 100644
--- a/celt/mathops.c
+++ b/celt/mathops.c
@@ -182,7 +182,7 @@ opus_val32 celt_rcp(opus_val32 x)
    int i;
    opus_val16 n;
    opus_val16 r;
-   celt_assert2(x>0, "celt_rcp() only defined for positive values");
+   celt_sig_assert(x>0);
    i = celt_ilog2(x);
    /* n is Q15 with range [0,1). */
    n = VSHR32(x,i-15)-32768;
diff --git a/celt/mathops.h b/celt/mathops.h
index 5324c18a..5e86ff0d 100644
--- a/celt/mathops.h
+++ b/celt/mathops.h
@@ -179,7 +179,7 @@ static OPUS_INLINE float celt_exp2(float x)
 /** Integer log in base2. Undefined for zero and negative numbers */
 static OPUS_INLINE opus_int16 celt_ilog2(opus_int32 x)
 {
-   celt_assert2(x>0, "celt_ilog2() only defined for strictly positive numbers");
+   celt_sig_assert(x>0);
    return EC_ILOG(x)-1;
 }
 #endif
diff --git a/celt/pitch.c b/celt/pitch.c
index 38a9e68d..872582a4 100644
--- a/celt/pitch.c
+++ b/celt/pitch.c
@@ -249,7 +249,7 @@ celt_pitch_xcorr_c(const opus_val16 *_x, const opus_val16 *_y,
    opus_val32 maxcorr=1;
 #endif
    celt_assert(max_pitch>0);
-   celt_assert((((unsigned char *)_x-(unsigned char *)NULL)&3)==0);
+   celt_sig_assert((((unsigned char *)_x-(unsigned char *)NULL)&3)==0);
    for (i=0;i<max_pitch-3;i+=4)
    {
       opus_val32 sum[4]={0,0,0,0};
diff --git a/celt/quant_bands.c b/celt/quant_bands.c
index 56101b1c..39a221ed 100644
--- a/celt/quant_bands.c
+++ b/celt/quant_bands.c
@@ -457,7 +457,7 @@ void unquant_coarse_energy(const CELTMode *m, int start, int end, opus_val16 *ol
          /* It would be better to express this invariant as a
             test on C at function entry, but that isn't enough
             to make the static analyzer happy. */
-         celt_assert(c<2);
+         celt_sig_assert(c<2);
          tell = ec_tell(dec);
          if(budget-tell>=15)
          {
diff --git a/celt/tests/test_unit_entropy.c b/celt/tests/test_unit_entropy.c
index ff926586..7f674529 100644
--- a/celt/tests/test_unit_entropy.c
+++ b/celt/tests/test_unit_entropy.c
@@ -34,6 +34,7 @@
 #include <stdio.h>
 #include <math.h>
 #include <time.h>
+#define CELT_C
 #include "entcode.h"
 #include "entenc.h"
 #include "entdec.h"
diff --git a/celt/tests/test_unit_laplace.c b/celt/tests/test_unit_laplace.c
index 22951e29..727bf012 100644
--- a/celt/tests/test_unit_laplace.c
+++ b/celt/tests/test_unit_laplace.c
@@ -31,8 +31,8 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#include "laplace.h"
 #define CELT_C
+#include "laplace.h"
 #include "stack_alloc.h"
 
 #include "entenc.c"
diff --git a/celt/tests/test_unit_rotation.c b/celt/tests/test_unit_rotation.c
index 267b9830..8a31b3f2 100644
--- a/celt/tests/test_unit_rotation.c
+++ b/celt/tests/test_unit_rotation.c
@@ -33,8 +33,6 @@
 #define CUSTOM_MODES
 #endif
 
-#define CELT_C
-
 #include <stdio.h>
 #include <stdlib.h>
 #include "vq.h"
diff --git a/celt/vq.c b/celt/vq.c
index 8ef80e50..a6b5552d 100644
--- a/celt/vq.c
+++ b/celt/vq.c
@@ -230,12 +230,12 @@ opus_val16 op_pvq_search_c(celt_norm *X, int *iy, int K, int N, int arch)
          pulsesLeft -= iy[j];
       }  while (++j<N);
    }
-   celt_assert2(pulsesLeft>=0, "Allocated too many pulses in the quick pass");
+   celt_sig_assert(pulsesLeft>=0);
 
    /* This should never happen, but just in case it does (e.g. on silence)
       we fill the first bin with pulses. */
 #ifdef FIXED_POINT_DEBUG
-   celt_assert2(pulsesLeft<=N+3, "Not enough pulses in the quick pass");
+   celt_sig_assert(pulsesLeft<=N+3);
 #endif
    if (pulsesLeft > N+3)
    {
diff --git a/celt/x86/vq_sse2.c b/celt/x86/vq_sse2.c
index 6a317703..77504286 100644
--- a/celt/x86/vq_sse2.c
+++ b/celt/x86/vq_sse2.c
@@ -135,7 +135,7 @@ opus_val16 op_pvq_search_sse2(celt_norm *_X, int *iy, int K, int N, int arch)
    }
    X[N] = X[N+1] = X[N+2] = -100;
    y[N] = y[N+1] = y[N+2] = 100;
-   celt_assert2(pulsesLeft>=0, "Allocated too many pulses in the quick pass");
+   celt_sig_assert(pulsesLeft>=0);
 
    /* This should never happen, but just in case it does (e.g. on silence)
       we fill the first bin with pulses. */
diff --git a/configure.ac b/configure.ac
index 3bd683b3..4b416fe5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -759,6 +759,14 @@ AS_IF([test "$enable_assertions" = "yes"], [
   AC_DEFINE([ENABLE_ASSERTIONS], [1], [Assertions])
 ])
 
+AC_ARG_ENABLE([hardening],
+    [AS_HELP_STRING([--enable-hardening],[enable run-time checks that are cheap and safe for use in production])],,
+    [enable_hardening=no])
+
+AS_IF([test "$enable_hardening" = "yes"], [
+  AC_DEFINE([ENABLE_HARDENING], [1], [Hardening])
+])
+
 AC_ARG_ENABLE([fuzzing],
     [AS_HELP_STRING([--enable-fuzzing],[causes the encoder to make random decisions])],,
     [enable_fuzzing=no])
@@ -919,6 +927,7 @@ AC_MSG_NOTICE([
       Run-time CPU detection: ........ ${rtcd_support}
       Custom modes: .................. ${enable_custom_modes}
       Assertion checking: ............ ${enable_assertions}
+      Hardening: ..................... ${enable_hardening}
       Fuzzing: ....................... ${enable_fuzzing}
       Check ASM: ..................... ${enable_check_asm}
       Ambisonics support: ............ ${enable_ambisonics}
diff --git a/tests/test_opus_projection.c b/tests/test_opus_projection.c
index 3068cd38..6679a0e7 100644
--- a/tests/test_opus_projection.c
+++ b/tests/test_opus_projection.c
@@ -39,8 +39,8 @@
 #include "test_opus_common.h"
 #include "opus_projection.h"
 #include "mathops.h"
-#include "../src/mapping_matrix.c"
-#include "mathops.c"
+#include "../src/mapping_matrix.h"
+#include "mathops.h"
 
 #ifdef ENABLE_EXPERIMENTAL_AMBISONICS
 
@@ -103,9 +103,9 @@ void test_simple_matrix(void)
   MappingMatrix *simple_matrix;
 
   /* Allocate input/output buffers. */
-  input_val16 = (opus_val16 *)opus_alloc(align(sizeof(opus_val16) * SIMPLE_MATRIX_INPUT_SIZE));
-  output_int16 = (opus_int16 *)opus_alloc(align(sizeof(opus_int16) * SIMPLE_MATRIX_OUTPUT_SIZE));
-  output_val16 = (opus_val16 *)opus_alloc(align(sizeof(opus_val16) * SIMPLE_MATRIX_OUTPUT_SIZE));
+  input_val16 = (opus_val16 *)opus_alloc(sizeof(opus_val16) * SIMPLE_MATRIX_INPUT_SIZE);
+  output_int16 = (opus_int16 *)opus_alloc(sizeof(opus_int16) * SIMPLE_MATRIX_OUTPUT_SIZE);
+  output_val16 = (opus_val16 *)opus_alloc(sizeof(opus_val16) * SIMPLE_MATRIX_OUTPUT_SIZE);
 
   /* Initialize matrix */
   simple_matrix_size = mapping_matrix_get_size(simple_matrix_params.rows,